Powershell: Get SHA256 Thumbprint from vCenter server using Powershell Core. (NSX-T Compute Manager Registration related)

Summary:
Had a need to pull a target vCenter's SSL certificate and convert it's thumbprint to SHA256 format to register to NSX-T Manager using Powershell core.  Servicepoint was not available in Core.

Noticed also recently Lam updated his approach to take Core into account.  My approach is slightly different and my script will also return the certificate object back if you so choose rather than just the SHA256 value.  Anyway, I've tested in PS Core 6.0.4 and 6.1 on Ubuntu, CentOS, and MacOS and my function seems to work fine.  Let me know if you see otherwise.

GIST below:
Function Get-SSLCert{
[CmdletBinding()]
<#
.SYNOPSIS
Gets SSL certificate of remote system.
.DESCRIPTION
Gets SSL certificate of remote system in order to get it's thumbprint.
.EXAMPLE
Get-SSLCert tech.zsoldier.com
Returns the certificate as object.
.EXAMPLE
Get-SSLCert tech.zsoldier.com -SHA256Thumbprint
This will simply output the certificates thumbprint as SHA256 format replacing "-" with ":".
Made to enable capturing a vCenter certificate's thumbprint in SHA256 format to register in NSX-T as a compute manager.
.PARAMETER SHA256Thumbprint
Captures certificate and outputs SHA256 formatted thumbprint. Defaults to false.
.PARAMETER URI
Required string value can be DNS or IP Address.
.PARAMETER Port
Define the port to connect to. 443 is default, can be modified to match endpoints actual port for SSL communications.
Port 636 is met w/ mixed results, unsure why this has issues. Try using 3389 instead to get cert.
.PARAMETER DownloadCert
Downloads the target's cert to current path.
.NOTES
Authored by: K. Chris Nakagaki
https://tech.zsoldier.com
#>
param (
[Parameter(Mandatory=$true)]
[ValidateNotNullOrEmpty]
[string]
$URI,
[Parameter(Mandatory=$false)]
[switch]
$SHA256Thumbprint=$false,
[int]
$Port = 443,
[switch]
$DownloadCert
)
$Certificate = $null
$TcpClient = New-Object -TypeName System.Net.Sockets.TcpClient
try
{
$TcpClient.Connect($URI, $Port)
$TcpStream = $TcpClient.GetStream()
$Callback = { param($sender, $cert, $chain, $errors) return $true }
$SslStream = New-Object -TypeName System.Net.Security.SslStream -ArgumentList @($TcpStream, $true, $Callback)
try
{
$SslStream.AuthenticateAsClient($URI)
$Certificate = $SslStream.RemoteCertificate
}
finally
{
$SslStream.Dispose()
}
}
finally
{
$TcpClient.Dispose()
}
if ($Certificate) {
if ($Certificate -isnot [System.Security.Cryptography.X509Certificates.X509Certificate2]) {
$Certificate = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Certificate
}
$SHA256 = [Security.Cryptography.SHA256]::Create()
$Bytes = $Certificate.GetRawCertData()
$HASH = $SHA256.ComputeHash($Bytes)
$thumbprint = [BitConverter]::ToString($HASH).Replace('-',':')
Switch ($SHA256Thumbprint)
{
$false
{
Write-Output $Certificate
}
$true
{
Write-Output $thumbprint
}
}
Switch ($DownloadCert)
{
$false
{
Write-Output $Certificate
}
$true
{
$randomnum = Get-Random
$subjectname = $Certificate.subject.replace("C=","").replace("CN=","").replace(",","")
$randomfilename = ($subjectname + $randomnum + ".cer")
$directory = (Get-Location).path
[System.IO.File]::WriteAllBytes(($directory + "/" + $randomfilename),$Certificate.RawData)
}
}
}
}
view raw Get-SSLCert.ps1 hosted with ❤ by GitHub

Comments

Unknown said…
Hi Chris,

I am in a learning curve of PowerShell, if you don't mine can you please walk me through how to use this script.


Thanks for understanding.


November 16, 2018 at 12:56 PM
Zsoldier said…
Sure thing. To use it is quite simple. From a PowerShell window, you can simply copy all the text on this page and paste into that PowerShell window. Once you do that, you can now call that function by typing “Get-SSLCert google.com” without the quotes. That’s one way to use it. Other ways are by simply saving the code above into a ps1 file (literally a text document with a .ps1 extension instead of a .txt) and using import-module nameofps1file.ps1.
November 19, 2018 at 2:46 PM
JC said…
Thanks for posting this, it's exactly what I needed.
February 10, 2022 at 9:44 AM
Post a Comment

Popular posts from this blog

VMware | AVS: Content Library or Non vCenter objects on VSAN produces unassociated but valid objects

Image
Summary: Creating or Subscribing to a Content Library on vSAN is typical practice, but the annoying side effect?  Objects created on vSAN datastore that show up as "unassociated" objects and guess what, they simply inherit the Cluster's default VSAN policy at time of import.  Yeah, dumb right?  Also, by vSAN Operations Guide Standards section 6721 subsection 4 , you shouldn't do this. So then what? In Azure VMware Solution(AVS) , you have a couple of options.  You can do what the operations guide tells you that you shouldn't do or you can do something better.  Regardless of these options, the one thing you should do, is create a global content library.   Create Global Content Library:  here are instructions to create one on an Azure blob store. You should do this, makes life easier if you can. Also a fun little experiment to play w/ Azure Functions Centralized Storage of your ISO/OVF's etc. Attach external storage (Not necessary, but I'll explain ...
Read more

NSX-T: Release associated invalid node ID from certificate

Image
Summary: Basically had an expiring certificate registered in NSX-T that was associated to a node_id that is no longer valid.  Long story short, there wasn't anything obvious in API to delete or disassociate a certificate from a node_id for 3.2.2.  Not sure how things got in this state, but annotating for future reference.  This may change in future revisions, so always check API for latest. Details: Effectively had a stale node associated w/ a certificate that was expiring.  Could not delete certificate until that node was disassociated from the certificate. To get certificate details and associated node_id's, you can use the following curl call (UI works too): curl -k -X GET -H "Content-Type: application/json" -u admin https://<manager ip>/api/v1/trust-management/certificates/<cert UUID> Above will return something like this: Below must be run from one of the manager nodes via elevation to root: ONLY RUN THIS IF YOU ARE ABSOLUTELY SURE OF WHAT YOU ARE DO...
Read more

iOS: Sleep Focus activating on wrong time zone

Image
Time is Relative Summary: For some strange reason, my sleep focus, was activating based upon my home timezone of EST while traveling to Japan and Australia.  My phone's timezone was correct as was my apple watch that is set to mirror my iPhone. [ Update:   While resolution below may help in some situations, I found my issue to be that I left a device (macbook pro) logged in and running in my home timezone while in Australia. It seems that there is no 'primary' controller for initializing focus modes.  It's basically whatever device sends the "It's focus time" message.  Which now explains why I has having such issues. So Apple needs to fix this by defining a primary device (should be my iPhone/Apple Watch IMYHO) so weird people like me who have multiple devices can get proper sleep outside my home timezone. ] Workaround/Resolution: Check if you have another other Apple device logged in with your Apple ID in your home location.  Chances are, if you do, that ...
Read more